Before I begin, however, I’d like to take a few moments to explain what Windows Virtual Desktop is and how it can help you deploy and scale Windows and Office on Azure in minutes, with built-in security and compliance.

Windows Virtual Desktop is a comprehensive desktop and app virtualization service that runs in the cloud. Here is a quick list of some of the key features and functionality:

Infrastructure services like gateway, brokering, licensing, and diagnostics are provided as a service in Azure. There’s no need to deploy and maintain any on-premises infrastructure.

Once a user is connected to Windows Virtual Desktop service, access to Active Directory joined virtual machines (VMs) will be provided using Azure AD identities. In environments where Active Directory Federation Services (AD FS) is implemented for single sign-on (SSO), the user won’t be prompted for credentials when connecting to the VM, providing a seamless sign-on experience.

Reverse connect technology means your destination VM doesn’t need any inbound ports to be opened. Even the default RDP port, TCP/3389, doesn’t have to be open. Instead, an agent creates an outbound connection using TCP/443 into the Windows Virtual Desktop management plane. Azure is your reverse proxy for RDP traffic.

Virtual machines in Windows Virtual Desktop are not exposed to the Internet directly. They can run using a private IP address and run isolated from other workloads or even the Internet. (The reverse connect technology allows the VMs to be accessed.)

Organizations with “Windows 10 Enterprise E3 Per User” licenses or better (e.g. Windows 10 Enterprise E5 or Microsoft 365 E3, E5, F1, or Business) or RDS CALs can use Windows Virtual Desktop for no additional charge apart from Azure compute/storage and network usage billing. Reserved instances can be used to reduce Azure costs by up to 80%.
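Because reverse connect means session hosts need no inbound ports, it is worth confirming that no network security group still allows TCP/3389 from the Internet. The PowerShell below is an added example, not part of the original article: the helper names are hypothetical, the rule objects use the property names returned by the Az module's Get-AzNetworkSecurityGroup, and the sample rules are constructed so it runs offline.

```powershell
# Added example: flag NSG rules that still allow inbound RDP from the Internet.
# Rule objects use the property names of (Get-AzNetworkSecurityGroup).SecurityRules.

function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }                      # any port
    if ($Range -match '^(\d+)-(\d+)$') {                      # e.g. 3000-4000
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Range -eq "$Port")                               # single port
}

function Get-InboundRdpExposure {   # hypothetical helper name
    param([object[]]$Rules, [int]$Port = 3389)
    $publicSources = @('*', 'Internet', '0.0.0.0/0')
    foreach ($rule in $Rules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        if ($rule.Protocol -notin @('*', 'Tcp')) { continue }
        $fromPublic = @($rule.SourceAddressPrefix |
            Where-Object { $_ -in $publicSources }).Count -gt 0
        $hitsPort = @($rule.DestinationPortRange |
            Where-Object { Test-PortInRange $_ $Port }).Count -gt 0
        if ($fromPublic -and $hitsPort) { $rule }             # emit the exposed rule
    }
}

# Constructed sample rules (names, priorities and addresses are made up).
$sampleRules = @(
    [pscustomobject]@{ Name = 'allow-rdp-any'; Priority = 300; Direction = 'Inbound'
        Access = 'Allow'; Protocol = 'Tcp'
        SourceAddressPrefix = @('*'); DestinationPortRange = @('3389') }
    [pscustomobject]@{ Name = 'allow-wide-range'; Priority = 310; Direction = 'Inbound'
        Access = 'Allow'; Protocol = '*'
        SourceAddressPrefix = @('Internet'); DestinationPortRange = @('3000-4000') }
    [pscustomobject]@{ Name = 'allow-rdp-jumpbox'; Priority = 320; Direction = 'Inbound'
        Access = 'Allow'; Protocol = 'Tcp'
        SourceAddressPrefix = @('10.0.1.4'); DestinationPortRange = @('3389') }
    [pscustomobject]@{ Name = 'allow-https-out'; Priority = 100; Direction = 'Outbound'
        Access = 'Allow'; Protocol = 'Tcp'
        SourceAddressPrefix = @('*'); DestinationPortRange = @('443') }
)

Get-InboundRdpExposure -Rules $sampleRules |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange

# Against a live subscription (assumes the Az module and a signed-in session):
# Get-InboundRdpExposure -Rules (Get-AzNetworkSecurityGroup).SecurityRules
```

The check does not evaluate rule priority, so a flagged rule may still be overridden by a higher-priority deny; treat the output as a list of rules to review.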

Now let’s move on to the steps you need to take to get started.

Windows Virtual Desktop prerequisites

To set up Windows Virtual Desktop, you will need a few resources and to complete a few initial setup steps:

An Azure subscription with sufficient credit (needed to host resources).

If you require seamless SSO (HTML5 client excluded), you will need AD FS or users will have to authenticate when gaining access to the VM. (Steps on how to enable this with AD FS will follow at a later stage.)

An Active Directory to which you can join your VMs. For this, you have three options:

Option | Pros | Cons
Use Azure AD DS. | Great for test or isolated environments that do not need connectivity to on-premises resources. |

Allow the Windows Virtual Desktop service to access Azure AD

Before you can create a Windows Virtual Desktop tenant, you must allow Windows Virtual Desktop services to access your Azure AD tenant. The way Windows Virtual Desktop is designed requires explicit Azure AD consent. The process is much like how Azure requires you to enable non-standard resource providers before being able to use them.

Add your Azure AD tenant ID, also referred to as the Directory ID, and hit Submit. (Your Azure AD tenant ID can be found by visiting the Microsoft Azure Portal and navigating to Azure Active Directory > Properties > Directory ID, or by using whatismytenantid.com.)

Wait a moment for the consent options to refresh, then change Consent Option to Client App and enter the same Azure AD tenant ID to the field for AAD Tenant GUID or Name. Click Submit to continue.

Assign the “TenantCreator” role to a user account

Once you have granted access to Azure AD, you will need to grant permissions for a user to create a Windows Virtual Desktop tenant as follows:

Select Add user, select Users and groups, and search for the user to whom you want to grant permissions to perform the Windows Virtual Desktop tenant creation.

Select the user and hit Select, followed by Assign.

Your user should now have the role of “TenantCreator.”

Create a Windows Virtual Desktop tenant

Now that you have a user with the right permissions to create a Windows Virtual Desktop tenant, let’s go ahead and create it. During this step, you will need two IDs:

Your Azure AD tenant ID (again).

Your Azure subscription ID, which can be found by visiting the Microsoft Azure Portal and doing a keyword search for “Subscriptions.” Select Subscriptions from the search results and your subscription ID, assuming you have an active subscription, will be displayed below.

Once you have these two IDs, you can create the Windows Virtual Desktop tenant.

Note: Before proceeding, make sure you import the Windows Virtual Desktop cmdlets for Windows PowerShell as described in the prerequisites section above. If you haven’t completed this step yet, see these instructions.

Create a new PowerShell script, modifying the bold variables to reflect your tenant ID and subscription ID, and execute the following commands. When prompted, sign in using the admin account that was assigned to the TenantCreator role.

Hostpool name - Choose something descriptive for the pool of hosts, e.g. “FullDesktop”

Desktop type: Pooled or Personal - Choose Pooled unless you are deploying a virtual desktop infrastructure (VDI) configuration wherein every user has their own dedicated VM.

Default desktop users - Add a comma separated list of users. (Group support will follow later.) You can also use PowerShell to add users to this host pool at a later point.

Subscription – Select Microsoft Azure.

Resource group - Use an empty Resource Group or enter a name to create a new one.

Location - Enter the location where the resources, such as the VMs, will be created. This can be any existing Azure region of your choice.

Note: During Public Preview the Windows Virtual Desktop service will only be offered from East US 2. This means that RDP traffic will flow via East US 2, even if your virtual machines are in a different region. You can use Windows Virtual Desktop regardless of your physical location, but you may experience additional latency. Once Windows Virtual Desktop is rolled out to other regions, there is nothing for you to change. Users will be routed to the nearest Windows Virtual Desktop management plane for optimal performance.

Step 2: Configure the virtual machines

If desired, change the Virtual machine size. For your test environment, which will likely have very few users, you could opt for a smaller size. You can find additional examples and size guidance in the Windows Virtual Desktop pricing guide.

Step 3: Configure VM settings

To configure the VMs for Azure, you will need to:

Select a custom image from Blob storage, a Managed image in Azure, or one from the Gallery. Our recommendation would be to test “Windows 10 Enterprise multi-session with Office 365 ProPlus” from the Azure Gallery. Office 365 ProPlus has been preconfigured for the ideal state of Windows 10 multi-session.

Select the Image OS

Select the Disk Type. SSD is recommended.

Enter credentials that have permissions to join a VM to Active Directory.

(Optional) Specify the domain and/or OU.

(Optional) Use managed disks.

Configure the virtual network and subnet. Pay close attention to this step, as this wizard will spin up virtual machines and join them to AD. This means the virtual machine must be able to locate the Domain Controller. Consequently, we recommend opening a separate tab in your browser and validating that:

The DNS server IP address that is assigned to the VM points to the DC or AD DS; this can be configured in multiple locations including on your virtual network.

The DC, VM, and network resources are in the same Azure region. (Otherwise, your deployment is likely to fail.)
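The two checks above can also be scripted before running the wizard. The PowerShell below is an added example, not part of the original article: the function name is hypothetical, the virtual network object mimics the Location and DhcpOptions.DnsServers properties returned by the Az module's Get-AzVirtualNetwork, and every name, region and address is a constructed sample value.

```powershell
# Added example: pre-flight check of the virtual network chosen in step 3.
# Only virtual-network-level DNS is inspected; DNS set on a network interface
# is not covered by this check.

function Test-WvdVnetReadiness {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Vnet,              # session host virtual network
        [Parameter(Mandatory)] [string]$DcIp,      # IP of the DC or Azure AD DS
        [Parameter(Mandatory)] [string]$DcRegion   # Azure region of the DC
    )
    $findings = @()

    # Drop null entries so an unset DNS list counts as zero servers.
    $dns = @($Vnet.DhcpOptions.DnsServers | Where-Object { $_ })
    if ($dns.Count -eq 0) {
        $findings += 'No custom DNS servers set: VMs will use Azure-provided DNS, not the DC.'
    } elseif ($DcIp -notin $dns) {
        $findings += "DNS servers ($($dns -join ', ')) do not include the DC at $DcIp."
    }

    if ($Vnet.Location -ne $DcRegion) {
        $findings += "Virtual network is in '$($Vnet.Location)' but the DC is in '$DcRegion'."
    }
    return $findings
}

# Constructed sample: DNS points elsewhere and the regions differ.
$sampleVnet = [pscustomobject]@{
    Name        = 'wvd-vnet'
    Location    = 'westeurope'
    DhcpOptions = [pscustomobject]@{ DnsServers = @('10.1.0.10') }
}

$result = Test-WvdVnetReadiness -Vnet $sampleVnet -DcIp '10.0.0.4' -DcRegion 'eastus2'
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Virtual network DNS and region look consistent with the DC.' }

# Against a live subscription (assumes the Az module and a signed-in session;
# <vnet> and <rg> are placeholders):
# Test-WvdVnetReadiness -Vnet (Get-AzVirtualNetwork -Name <vnet> -ResourceGroupName <rg>) `
#     -DcIp '<dc-ip>' -DcRegion '<region>'
```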

Here is an example of what step 3 of the wizard could look like:

Step 4: Enter authentication details

Once you have configured your VM settings, you will need to enter details about your Windows Virtual Desktop tenant and Azure AD tenant. Unless otherwise directed, leave the Windows Virtual Desktop tenant group name as “Default Tenant Group.” For the Windows Virtual Desktop tenant name, enter the name of the tenant you created earlier in this process.

Note: If you are unsure what your Windows Virtual Desktop tenant name is, use the PowerShell command “Get-RdsTenant” to obtain it.

Step 6: Finalize the creation of your host pool

Test if a user can access a full desktop session

Once you have created your Windows Virtual Desktop host pool, you can download the client for Android or Windows, or use the HTML5 client. (The Microsoft Remote Desktop Beta for iOS can be tested using TestFlight.) Here’s how to test with Windows or the HTML5 client.

Test with the Windows client

Download the latest Windows Remote Desktop client and subscribe to the feed using the following URL: https://rdweb.wvd.microsoft.com. Once subscribed, you will find the virtualized apps and desktops in the Start menu. You’ll also notice that it’s possible to enable conditional access and/or MFA for users when subscribing to a feed.

Test with the HTML5 client

Launch a browser in privacy or incognito mode and visit http://aka.ms/wvdweb to access the HTML5 client. Authenticate using the login information to which you assigned a full desktop session.

If you are successful, you should be able to view the desktop:

What’s next?

Once you have completed your setup of Windows Virtual Desktop, you can assign other users to your host pool using the following PowerShell command, replacing <WVDTENANTNAME> with the name of your tenant, <HOSTPOOLNAME> with the name of your host pool, and leveraging the appropriate user principal name:

@wonderdog: Microsoft 365 F1 offer will include rights for Windows Virtual Desktop. This is an exception and means that firstline users who are licensed with Microsoft 365 F1 will be able to have access to Windows Virtual Desktop from all of their devices.

@JoelJuma: If your Exchange environment supports mobile workers with Office 365 ProPlus today, it will work with Windows Virtual Desktop. If that's not the case and users have to be connected to the office network to access Exchange, you could consider extending your on-premises network to Azure using site-to-site VPN or ExpressRoute.

That's excellent news! The official docs.microsoft page doesn't flag F1 as valid at present - and it'd be a HUGE deal if planning large low cost-per-seat deployments using low cost thin clients as endpoints - for use in call centres and the like.

@Pieter Wigleven - my environment is a highly sensitive place and although I have an integrated AAD connection which I’m currently using for AIP, I would love to know more about the competitiveness with Citrix as I currently have a huge VDI environment at present. Furthermore, do I have this in my normal Azure subscription or does it come with a different subscription?

Took me a while to get the first pool spun up in my lab tenant - your guide for the PowerShell bits was hugely helpful (and the pointers on making sure the DNS/DC was reachable), but then I kept getting stuck at the domain activation step - I eventually spotted that while I'd peered my WVD vnet to the vnet containing my domain controller, I hadn't set up the reverse peer! Doh!

Logged in and working now - but the experience is pretty poor from the UK - I suspect everything is hairpinning via the managed RDP gateway in a US or something, even though my test desktop and I are in the UK.

The beta client also has no options to control the RDP stream - forcing the remote desktop to maximum screen resolution etc. I'm hoping we get some configurability back soon.

Huge potential though - looking forward to trying out a RemoteApp pool next!

If we have Microsoft e3 or e5 what exactly is the added cost of the "Azure compute/storage and network usage billing"? I would like to determine if this is more cost effective than our current set up. Any info would be helpful.

@sxc7886 Just use the Azure cost calculator to price up appropriately specced guest VMs (plus appropriate storage) based on your requirements. Add in an amount of "out of Azure" network bandwidth if you want, though I reckon it won't be more than about ~5% on top of your VM costs under most normal circumstances. You can also power the machines down/up on a timed schedule when not in use (or use reserved instances if they are utilised 24/7) to reduce cost.

The management tooling is free. No need to pay for gateways etc. You will need access to a domain controller somewhere though (might be worth spinning a B2 one up on Azure IAAS in the same region as your pool for about £30 a month?)

If you are using W10 as the OS for your VM's you aren't paying any extra over the cost of the base VM hardware (as these WVD W10 licenses are covered by your M365 e3/e5 entitlement). If you are using Windows Server for your pools you'll still pay a little bit for that licence.

Remember you'll need RDS CALs per user if you are using Windows Server. M365 e3/e5 don't include this. So consider using W10 multi-session if you are doing session based desktops.

Once you create a host pool is there a way to just delete it? Or is it as simple as just deleting the resources it created under the resource group? I want to start over because I did this before I saw this guide and made some mistakes.

@Jafar1970 About two weeks ago we recorded the "What’s new in virtualizing Windows 10 and Office" session at Ignite the Tour in Amsterdam. The recording is available now and includes the presentation. After GA we will integrate into the Azure portal and many of the steps described here won't be necessary anymore. Also - you won't have to use PowerShell for the vast majority of management actions. In terms of GA date, we have specific quality gates that we have to meet and therefore an exact date is difficult to give; the official statement is "second half of this calendar year".

I cannot get WVD to work. The deployment completes successfully in Azure (from Marketplace), but I cannot connect to Remote Desktop, neither via web-client or the new Remote Desktop client. The latter says "currently no resources available".

I only have Office 365 E3 licenses (and EMS E3), but no Windows 10 Enterprise E3 licenses in my tenant. Could that be why?

@ullerdk you will find that your deployment actually failed. It gets right to the end and the VM fails with an extension error.

I get this error:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.","details":[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a failure when processing extension 'dscextension'. Error message: \\\"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: \\\"winrm quickconfig\\\".\\\".\"\r\n }\r\n ]\r\n }\r\n}"}]}

I haven't had a chance to research this but I was going to try doing this via PowerShell instead. See if that works better.

My deployment was actually completing successfully (using Azure AD Domain Services), but there were 2 root causes why it was not working:

1. Get-RdsSessionHost reported status as "unavailable". Turned out that when re-deploying you must use another prefix for the RDS hosts according to this

2. Only 1 of 2 Azure AD accounts can log in to the Win10 virtual desktop. The second user needs to reset password in Azure AD, so the password hash can sync back to Azure AD Domain Services, which is required due to hash format according to this.

Excellent article, I did it in my labs and all works fine. The only issue that I had with the installation is when it asked you to put your admin account in the section Client App: it didn't work, it gave me a Tenant ID error, so I added the tenant name instead and then it worked fine with client permissions.

So in my setup I chose ADDS with Password Synced, then I synced with PowerShell the hash password from AD Azure to ADDS. I configured a Windows 2019 server joined to ADDS just for test, followed the guide and all works fine; I can remote to the VM very easily.

Now the next step is to publish and manage apps!!! I tried but it gives me an error:

To allow the Windows Virtual Desktop service to access Azure AD I did the below steps: 1- Navigate to https://rdweb.wvd.microsoft.com. Add your Azure AD tenant ID, also referred to as the Directory ID, and hit Submit.

Check in your azure portal that you have at least one Session Desktop Virtual machine available and turned on? If they are 1:1 you might have another connection open to all machines in the pool already as well.

In my labs I'm using ADDS as DC. I have AD Connect that synced from AD on-premises to AD Azure with the sync password option; you also need to make sure that the password hash is synced from AD Azure to ADDS with this command:

The accounts that I am specifying in "defaultDesktopUsers" are accounts that are synced between AD and AAD. I can successfully connect to the Windows Virtual Desktop tenant from the URL https://rdweb.wvd.microsoft.com/webclient/index.html using the accounts specified in defaultDesktopUsers. However, when I connect to the remote session, it throws the error:

Should the TenantCreator user have global administrator, or which directory role should the user have? In the document, the administrator account is mentioned, but there is not a directory role called administrator account.